// Flags files whose first eight bytes equal a fixed marker that the rule's
// description attributes to encrypted Moonlight Maze keylogger logs.
// The target is the log artifact, not the keylogger executable.
// NOTE: the identifier is spelled "keyloger" (sic); it is kept unchanged
// because renaming would break anything that references the rule by name.
rule malware_windows_moonlightmaze_encrypted_keyloger
{
    meta:
        description = "Rule to detect Moonlight Maze encrypted keylogger logs"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        author = "Kaspersky Lab"

    strings:
        // Eight-byte marker expected at the very start of a log file.
        $a1 = { 47 01 22 2A 6D 3E 39 2C }

    condition:
        // Anchored to offset 0: the same bytes deeper in a file do not match.
        // NOTE(review): the marker is the only test (no filesize bound or
        // second indicator), so corroborate a hit with host context before
        // treating it as confirmed.
        $a1 at 0
}
